Security Information#
Updated the following middleware component versions to enhance security and performance in MSR:
- [MSRH-732] Golang v1.25.11
- [MSRH-833] Immutable.js v3.8.3
Resolved CVEs#
| CVE | Image mitigated | Problem details |
|---|---|---|
| CVE-2026-9150 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/registry-photon |
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. |
| CVE-2026-9149 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/registry-photon |
A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). |
| CVE-2026-9076 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). |
| CVE-2026-8643 | harbor/prepare | pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory. |
| CVE-2026-7598 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. |
| CVE-2026-7383 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. |
| CVE-2026-7168 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB. |
| CVE-2026-7009 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine. |
| CVE-2026-6732 | harbor/harbor-db | A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable. |
| CVE-2026-6357 | harbor/prepare | pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation. |
| CVE-2026-6100 | harbor/prepare | Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable. |
| CVE-2026-6019 | harbor/prepare | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. |
| CVE-2026-5928 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. |
| CVE-2026-5450 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. |
| CVE-2026-46598 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. |
| CVE-2026-46597 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. |
| CVE-2026-46595 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. |
| CVE-2026-45447 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. |
| CVE-2026-45446 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. |
| CVE-2026-45445 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. |
| CVE-2026-45186 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. |
| CVE-2026-42770 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. |
| CVE-2026-42769 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. |
| CVE-2026-42768 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. |
| CVE-2026-42767 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. |
| CVE-2026-42766 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. |
| CVE-2026-42765 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process. |
| CVE-2026-42764 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. |
| CVE-2026-42508 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked. |
| CVE-2026-42507 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. |
| CVE-2026-42506 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-42504 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. |
| CVE-2026-42502 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-42499 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. |
| CVE-2026-42011 | harbor/harbor-db harbor/harbor-log |
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. |
| CVE-2026-42010 | harbor/harbor-db harbor/harbor-log |
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. |
| CVE-2026-41889 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2. |
| CVE-2026-39836 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). |
| CVE-2026-39835 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. |
| CVE-2026-39834 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. |
| CVE-2026-39833 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. |
| CVE-2026-39832 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. |
| CVE-2026-39831 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. |
| CVE-2026-39830 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. |
| CVE-2026-39829 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2. |
| CVE-2026-39828 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error. |
| CVE-2026-39827 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection. |
| CVE-2026-39826 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. |
| CVE-2026-39825 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. |
| CVE-2026-39824 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. |
| CVE-2026-39823 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's |
| CVE-2026-39821 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com". |
| CVE-2026-39820 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. |
| CVE-2026-3833 | harbor/harbor-db harbor/harbor-log |
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. |
| CVE-2026-34743 | harbor/harbor-core harbor/harbor-portal harbor/nginx-photon |
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3. |
| CVE-2026-34183 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. |
| CVE-2026-34182 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. |
| CVE-2026-34181 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. |
| CVE-2026-34180 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. |
| CVE-2026-33846 | harbor/harbor-db harbor/harbor-log |
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. |
| CVE-2026-33845 | harbor/harbor-db harbor/harbor-log |
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. |
| CVE-2026-33814 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
| CVE-2026-33811 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. |
| CVE-2026-32952 | harbor/harbor-core | go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue. |
| CVE-2026-32286 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic. |
| CVE-2026-3219 | harbor/prepare | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both. |
| CVE-2026-3087 | harbor/prepare | If shutil.unpack_archive() is given a ZIP archive with an absolute Windows path containing a drive (C:\\...) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability. |
| CVE-2026-27171 | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/registry-photon harbor/trivy-adapter-photon |
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. |
| CVE-2026-27145 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon |
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. |
| CVE-2026-27136 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-25681 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-25680 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice |
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. |
| CVE-2026-2297 | harbor/prepare | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. |
| CVE-2026-11824 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/registry-photon harbor/trivy-adapter-photon |
SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5. |
| CVE-2026-11822 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/registry-photon harbor/trivy-adapter-photon |
SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database. |
| CVE-2026-0992 | harbor/harbor-db | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated |
| CVE-2026-0990 | harbor/harbor-db | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. |
| CVE-2026-0989 | harbor/harbor-db | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested |
| CVE-2025-9714 | harbor/harbor-db | Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled. |
| CVE-2025-8732 | harbor/harbor-db | A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all." |
| CVE-2025-69720 | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/registry-photon harbor/trivy-adapter-photon |
The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. |
| CVE-2025-13462 | harbor/prepare | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. |
| CVE-2022-49043 | harbor/harbor-db | xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. |
| CVE-2022-29824 | harbor/harbor-db | In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf) and tree.c (xmlBuffer) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. |
| CVE-2022-23308 | harbor/harbor-db | valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. |
| CVE-2021-3541 | harbor/harbor-db | A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. |
| CVE-2021-3537 | harbor/harbor-db | A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. |
| CVE-2021-3518 | harbor/harbor-db | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. |
| CVE-2021-3517 | harbor/harbor-db | There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. |
| CVE-2021-3516 | harbor/harbor-db | There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. |
| CVE-2020-7595 | harbor/harbor-db | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. |
| CVE-2020-24977 | harbor/harbor-db | GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. |
| CVE-2019-20388 | harbor/harbor-db | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. |
| CVE-2019-19956 | harbor/harbor-db | xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. |
| CVE-2016-3709 | harbor/harbor-db | Possible cross-site scripting vulnerability in libxml after commit 960f0e2. |
| CVE-2024-55565 | "nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. |